I'm very sorry to hear about this.
I guess, given the time span and number of instances you have been running, you probably have not kept any or many disk images or logfiles.
It would be interesting to find out how your wallet or hosts have been compromised. My guesses would be via a disk image or via ssh and weak credentials.
Some suggestions to miners about what you can do with ssh to improve security:
- Open up ssh only to what is necessary. 0.0.0.0 is a lot of addresses, not to mention IPv6 addresses. If you are using ec2, you can update the firewall from the web interface with your IP when you need to log in from elsewhere. If you are on DHCP (your IP address changes), you can use a subnet (e.g., x.x.x.x/24), which will still greatly reduce your exposure to attack.
- use ssh keys, not passwords
- keep your ssh private key secure (keep it only on the machines you need to use to connect to instances, and a backup on USB)
- you can encrypt your key with a passphrase, look into this and also ssh-agent
- If you must use Windows, use antivirus software, scan regularly, keep it up to date. MacOS and Linux are not immune either.
- If you must use a password, use a strong one. http://en.wikipedia.org/wiki/Strong_password
- Check the documentation for sshd, and edit your sshd_config file, especially these options:
  - AllowUsers - use this option in sshd_config to whitelist the usernames you need to access your system
  - PermitRootLogin - set this to no or without-password, use sudo to become root if you need to
- Don't run an sshd on the machine you use to connect to your instances if you don't need to. If you must, then secure that too.
ssh ports are being probed for weak passwords all the time. If you run sshd without a firewall, just look at the logs.
By running the primecoind daemon (or any coin for that matter) you publicize your IP number to others (and the fact that you probably have a wallet that might even contain some coins in it).
Regarding wallets, I won't go into protecting your wallet or the best way to move your funds around, but leaving copies of wallets lying around is not a good idea. Ideally a provider zeroes the disk when a customer stops using it, but it may not always be the case; deleting a physical disk takes time.
When you are done using a machine and no longer need its wallet file, you can delete your wallet or, even better, "wipe" it (apt-get install wipe, wipe FILENAME) or write zeroes over it (dd if=/dev/zero of=PATHTOYOURWALLET bs=1024 count=100). With SSDs, you can't be sure that everything is ever deleted, but if the file is wiped or zeroed, you can be fairly sure that the file cannot be recovered without special tools and physical access to the disk, or without administrative access to the disk system in a larger provider. When you "rm" a file, usually it is just the directory entry and the list of blocks a file is using that is deleted. If not wiped or written over, it is possible for a file to be reconstructed.
Treat your wallet backups as you would treat your wallet; if someone finds your backup, it's almost as good as your wallet.dat.
Ideally the ssh settings and user accounts are set on your first miner which you then clone.
Wiping the wallet could be made part of the shutdown script; make sure you have a safe backup.
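
An added example (not part of the original post) that audits sshd_config text for the settings suggested above before a miner image is cloned. The sample configs are constructed, the function names are hypothetical, and PasswordAuthentication and prohibit-password are standard OpenSSH names that the post does not mention; only the global section, before any Match block, is checked.

```python
import re

# keyword and value are separated by whitespace or by a single '='
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

# Constructed sample inputs, not taken from any real host.
WEAK = """\
# default-looking config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED = """\
permitrootlogin without-password
PermitRootLogin yes
PasswordAuthentication=no
AllowUsers miner
AllowUsers admin@203.0.113.*
Match User admin
    PasswordAuthentication yes
"""

def parse_global(text):
    """Return (first value per keyword, accumulated AllowUsers patterns)."""
    first, allow_users = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line or '#' comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":             # simplification: stop at conditional blocks
            break
        if key == "allowusers":        # sshd appends repeated AllowUsers lines
            allow_users += value.split()
        else:                          # sshd keeps the first value it reads
            first.setdefault(key, value.lower())
    return first, allow_users

def audit(text):
    """Return the names of settings that do not follow the advice above."""
    first, allow_users = parse_global(text)
    findings = []
    if first.get("permitrootlogin") not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin")
    if first.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication")
    if not allow_users:
        findings.append("AllowUsers")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK), "hardened:", audit(HARDENED))
```

In HARDENED the second PermitRootLogin line is ignored because the first value wins, so place hardened settings above any lines a distribution default might add.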